Ever More Sophisticated Malware Targets Online Banking

Thursday, June 21, 2012

Pierluigi Paganini


(Translated from the original Italian)

Money motivates the cyber assaults against online banking by cybercriminals, but the finance world is also considered a prime target for state-sponsored attacks as part of cyber offense strategies.

Let's consider that the banking world is profoundly changing: the introduction of mobile devices and social networks, the openness to web services and the arrival of new technologies such as NFC are all factors that dramatically increase the attack surface of banking institutions.

We are witnessing a race between criminals and banks that seek to improve security, especially on the web, where crime is consolidating the trend of adopting malware to conduct attacks against users' accounts. Recently a Trojan tool able to perform stealthy attacks against bank accounts was discovered stealing money and covering its tracks.

Malware such as Zeus and SpyEye works by applying a classic man-in-the-middle scheme to steal money from victims' accounts, using fake login forms to capture a user's credentials. Other malware has been equipped with injection mechanisms that can also display altered account balances to hide the amounts stolen.

Recently, Trend Micro published news of a new toolkit called ATS (Automatic Transfer System), composed of JavaScript and HTML web-injection scripts used to intercept a user's interaction with online banking forms, presenting fabricated information about the funds available on the account, and also querying the account and initiating transfers without any user interaction.

With this mechanism it is possible to hide the scam from the target and delay the discovery of the fraud. Attacks of this kind are of increasing complexity and require specific skills, which are often recruited on the underground market of Eastern European programmers.

Automatic transfer systems (ATSs) have been introduced in some variants of the infamous SpyEye and ZeuS trojans, the nightmares of the banking world. The ATSs are part of the WebInject files, a collection of scripts implemented to steal victims' account credentials for online banking, webmail and financial services (e.g., PayPal accounts).

As described, the JavaScript and HTML code inside the WebInject files is used to create fake login forms and also to present fake account balances, hiding the theft from customers while the illegal transactions are made; the entire process has been fully automated.
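As an added illustration (not from the article or from Trend Micro), the following Python heuristic flags sessions in which a transfer is submitted at machine speed, or without the transfer form ever being rendered, which is the behaviour an ATS produces when it queries and transfers in the background; the log format, event names and 20-second threshold are assumptions.

```python
# Added example (not from the article): a server-side heuristic for spotting
# ATS-style automated transfers. Assumed log format, one request per line:
#   <ISO timestamp> <session_id> <event>
# with events login, view_balance, view_transfer_form, submit_transfer.
from datetime import datetime
from collections import defaultdict

MIN_HUMAN_SECONDS = 20  # assumed threshold: a person needs time to read and type

def parse_log(lines):
    """Group (timestamp, event) pairs by session id, skipping blank lines."""
    sessions = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, sid, event = line.split()
            sessions[sid].append((datetime.fromisoformat(ts), event))
    return sessions

def suspicious_sessions(lines, min_seconds=MIN_HUMAN_SECONDS):
    """Return {session_id: [reasons]} for sessions whose transfers look scripted:
    a submit seconds after login, or with the transfer form never rendered."""
    findings = {}
    for sid, events in parse_log(lines).items():
        events.sort()
        login_at = next((t for t, e in events if e == "login"), None)
        saw_form, reasons = False, []
        for t, e in events:
            if e == "view_transfer_form":
                saw_form = True
            elif e == "submit_transfer":
                if not saw_form:
                    reasons.append("transfer submitted without rendering the form")
                if login_at is not None and (t - login_at).total_seconds() < min_seconds:
                    reasons.append("transfer %.0fs after login" % (t - login_at).total_seconds())
                saw_form = False  # each transfer must be preceded by its own form view
        if reasons:
            findings[sid] = reasons
    return findings

# Constructed sample: s1 is driven by an inject, s2 is a human clicking through.
SAMPLE_LOG = """
2012-06-21T09:00:00 s1 login
2012-06-21T09:00:03 s1 view_balance
2012-06-21T09:00:04 s1 submit_transfer
2012-06-21T09:10:00 s2 login
2012-06-21T09:11:15 s2 view_transfer_form
2012-06-21T09:12:40 s2 submit_transfer
""".splitlines()
```

Flagged sessions are candidates for holding the transfer and contacting the customer out of band, the same advice the Trend Micro researcher gives below for customers checking their own statements.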

Today it is possible to detect various active ATSs in the wild that are based on a common framework used by cybercriminals to conduct automated fraud. Typically the schemes use phishing emails with links to tainted pages, malware attachments, or drive-by download attacks from malicious or even compromised legitimate sites.

We are also witnessing the emergence of C2C (crime-to-crime) collaborations: groups of cybercriminals offering services to other criminals for a fee.

For these specific attacks, an individual considered one of the most skilled specialists is known as ArtCard, aka "xs.", who offers high-quality WebInject files that are interoperable with either the ZeuS or the SpyEye toolkit.

The banks most often attacked with ATS are located in Italy, the UK and Germany, the countries where major investments in security have been observed and where the level of protection is high, so that sophisticated techniques are needed to carry out the scams.

Trend Micro researcher Loucif Kharouni declared:

“ATS infection is difficult to determine since ATSs silently perform fraudulent transactions in the background. It is, therefore, a good practice to frequently monitor banking statements using methods other than doing so online (i.e., checking balances over the phone or monitoring bank statements sent via mail)...”

ATSs aren't the only cyber threat to banking; other kinds of attack also hit the sector, such as the increasing use of DDoS attacks by hacktivists or state-sponsored hackers. And in the last few months another fraud scheme has been deployed against banks and financial institutions using ransom Trojans, agents that demand money before attempting to steal user logins.

An example is the Trojan:W32/Reveton, a ransomware application that claims to be from a legitimate law enforcement authority and prevents users from accessing their infected machines while demanding that a 'fine' be paid to restore normal access.

These methods of attack are employed alongside conventional fraud in the sector, such as identity theft and the cloning of smartcards. Security experts are also concerned about the rapid spread of new botnets based on P2P technology, due to the extreme difficulty of countering them.

Finally, as mentioned in the first part of the article, great attention to security must be given when banking services open up to mobile and social networks. These platforms are relatively young, the perception of the cyber threat on them is low and the adoption of security systems is almost zero, which makes them fertile ground for cybercriminals.

Online banking is a growing sector that must be adequately protected.

Cross-posted from Security Affairs
